Sofacy (also known as APT28, Pawn Storm, Tsar Team, Fancy Bear, Sednit and
Strontium) is a cyber espionage group. Its behaviour has been classified as an
advanced persistent threat. The group employs zero-day vulnerabilities and uses
spear phishing and malware to compromise targets. Preferred targets are
web-based email services. The threat group is known to target government,
military, and security organizations. Sofacy's routing of its attacks through
relatively small supply chain companies was effective in this instance, as the
smaller organizations did not realise the risks associated with remote access,
nor their role as an infiltration vector to other companies.

Mitigation

1. Access Levels:
It is important to identify and re-evaluate the access levels that third-party
suppliers have to a corporate network. This includes the isolation of services
and systems, to reduce any possible traversal through the network.

2. Role-Based Monitoring:
Parts of the attacks listed above operated outside of standard working hours,
and role-based monitoring could be beneficial in order to identify any signs of
compromise. For all external supplier accounts, developing a baseline for
elements such as logon times and programs accessed could also be beneficial,
especially if alerts are automated when abnormalities arise.

3. Two-Factor Authentication (2FA):
Both breaches were possible due to the configuration of the remote access tools
that were legitimately in use. Implementing 2FA for any external access is a
feature which may deter and even prevent malicious access.

4. Anti-virus:
The malware used by Sofacy is well known to security vendors; however, the
actors behind these campaigns are known to alter the signatures of this malware
to evade AV detection. It is therefore important that organizations ensure their
AV is regularly updated.

5. Patching:
The Sofacy actors use both known exploits and 0-days. Companies should ensure
that they have a comprehensive patching policy in place that is adhered to.

6. Education:
Phishing emails comprise a large portion of Sofacy's infiltration strategy.
Companies should ensure that users are educated on how to identify phishing
emails and what to do if they think they have received one. It is also important
that if an employee believes they have opened an attachment or clicked on a
link, they know they can report the potential compromise without fear of
repercussions.

7. Third-Party Risk Assessments:
Develop and conduct third-party risk assessments. It is important to measure
the risk a third party poses, and to develop a better understanding of the
security it has implemented. Re-evaluate access on a regular basis.
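The baselining and alerting described under item 2, as an added example that is not part of the original page: it learns each external supplier account's observed logon hours and programs from a baseline period, then flags later logons that fall outside those hours, use an unseen program, or come from an account with no baseline at all. The log format, account names and timestamps are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime
# Constructed sample logon records for external supplier accounts, one per line:
# "<ISO timestamp> <account> <program>". The format is assumed, not real telemetry.
BASELINE_LOGS = """\
2015-03-02T09:12:00 vendor-hvac remote-support
2015-03-04T16:55:00 vendor-hvac remote-support
2015-03-02T08:30:00 vendor-payroll sftp-client
2015-03-05T17:10:00 vendor-payroll sftp-client
"""
NEW_LOGS = """\
2015-03-09T11:02:00 vendor-hvac remote-support
2015-03-10T02:47:00 vendor-hvac remote-support
2015-03-10T09:15:00 vendor-payroll rdp-client
2015-03-11T13:00:00 vendor-cctv remote-support
"""
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")

def parse(log_text):
    """Yield (timestamp, account, program) per well-formed line; skip malformed ones."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, account, program = m.groups()
            yield datetime.fromisoformat(ts), account, program

def build_baseline(log_text):
    """Per account: earliest and latest logon hour seen, and the programs used."""
    baseline = defaultdict(lambda: {"earliest": 23, "latest": 0, "programs": set()})
    for ts, account, program in parse(log_text):
        b = baseline[account]
        b["earliest"] = min(b["earliest"], ts.hour)
        b["latest"] = max(b["latest"], ts.hour)
        b["programs"].add(program)
    return dict(baseline)

def find_anomalies(baseline, log_text):
    """Return (timestamp, account, reason) for each logon that deviates from the baseline."""
    alerts = []
    for ts, account, program in parse(log_text):
        b = baseline.get(account)
        if b is None:  # a supplier account that never appeared in the baseline period
            alerts.append((ts, account, "account has no baseline"))
            continue
        if not b["earliest"] <= ts.hour <= b["latest"]:
            alerts.append((ts, account, f"logon at {ts:%H:%M} outside baseline hours {b['earliest']:02d}-{b['latest']:02d}"))
        if program not in b["programs"]:
            alerts.append((ts, account, f"program {program} not seen in baseline"))
    return alerts
```

Running `find_anomalies(build_baseline(BASELINE_LOGS), NEW_LOGS)` on the constructed data raises three alerts: the 02:47 logon, the new program on the payroll account, and the account with no baseline.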